NIFI-11231 Stateless NiFi sensitive parameter context support #6993

@slambrose slambrose commented Feb 28, 2023

Summary

NIFI-11231

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, such as NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 11
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy - N/A
  • New dependencies are documented in applicable LICENSE and NOTICE files - N/A

Documentation

  • Documentation formatting appears as expected in rendered files

@slambrose slambrose changed the title NIFI-11231 Stateless NiFi secure parameter context support NIFI-11231 Stateless NiFi sensitive parameter context support Mar 7, 2023

@exceptionfactory exceptionfactory left a comment

Thanks for the contribution @slambrose!

I noted a handful of small naming issues, but the basic approach follows the example of other components.

Can you provide some additional background on the intended use case? The Stateless execution environment has a different approach for loading flow parameters using Parameter Value Providers. This is different than Parameter Providers in traditional NiFi, which is part of the reason that Parameter Providers are not supported right now.

@gresockj may also have some additional background from work on both Parameter Providers and Parameter Value Providers.

…ork package where all of the other logging files are.

This keeps consistency and also makes the class available to stateless NiFi code without needing to add the nifi-core dependency.

@slambrose slambrose left a comment

Thanks for the feedback/review! I implemented all of the requested changes. For ParameterProviderLogObserver, I found there was already an existing class by this name doing exactly what my class was doing, but in a strange location in the core package. I moved it to the framework->logging package where all of the other LogObserver classes are, and implemented that instead. I also removed my duplicate class.

@slambrose

Use case:
We are attempting to use stateless NiFi in k8s to process data while providing a horizontally scaled approach. Some of our users' flows are using sensitive parameters, so we have to be able to support this in our implementation. @Dye357 is the project lead for the effort, and can give a more robust explanation if needed. I tested this with an SFTP processor using the secure environment variable parameter context, which worked successfully.

@exceptionfactory

> Use case: We are attempting to use stateless NiFi in k8s to process data while providing a horizontally scaled approach. Some of our users' flows are using sensitive parameters, so we have to be able to support this in our implementation. @Dye357 is the project lead for the effort, and can give a more robust explanation if needed. I tested this with an SFTP processor using the secure environment variable parameter context, which worked successfully.

Thanks for addressing the code comments and providing some background on the use case @slambrose, that is helpful.

Have you or @Dye357 reviewed the Parameter Value Provider implementations for NiFi Stateless? The Parameter Value Providers support the use case of supplying sensitive parameter values, which should make the proposed changes unnecessary. If there is some feature gap in the Parameter Value Providers, we should evaluate that for improvement, as opposed to introducing Parameter Providers, intended for traditional NiFi deployments.

@slambrose

slambrose commented Mar 8, 2023

> > Use case: We are attempting to use stateless NiFi in k8s to process data while providing a horizontally scaled approach. Some of our users' flows are using sensitive parameters, so we have to be able to support this in our implementation. @Dye357 is the project lead for the effort, and can give a more robust explanation if needed. I tested this with an SFTP processor using the secure environment variable parameter context, which worked successfully.

> Thanks for addressing the code comments and providing some background on the use case @slambrose, that is helpful.

> Have you or @Dye357 reviewed the Parameter Value Provider implementations for NiFi Stateless? The Parameter Value Providers support the use case of supplying sensitive parameter values, which should make the proposed changes unnecessary. If there is some feature gap in the Parameter Value Providers, we should evaluate that for improvement, as opposed to introducing Parameter Providers, intended for traditional NiFi deployments.

Hmm.. I'm not sure Parameter Value Provider would work for us since these have to be passed in on runtime or in the properties file. We're going to be supporting a variety of flows stored in Registry. The goal is to run stateless NiFi with any given Registry url, bucket id, flow id, and flow version. So those flows that utilize sensitive parameter contexts need to be able to work under any running stateless NiFi pod/container. We wouldn't be changing the run command or properties files for each flow that's processed with stateless NiFi. Instead, they would have to be pulled from some secrets manager or k8s secrets. Let me chat some more with @Dye357 to see if there's anything I'm missing.

@gresockj

gresockj commented Mar 8, 2023

> Hmm.. I'm not sure Parameter Value Provider would work for us since these have to be passed in on runtime and known beforehand. We're going to be supporting a variety of flows stored in Registry. The goal is to run stateless NiFi with any given Registry url, bucket id, flow id, and flow version without any knowledge of what properties/params users have configured in their flows. So those flows that utilize sensitive parameter contexts need to be able to work under any running stateless NiFi pod/container. We wouldn't be changing the run command or properties files for each flow that's processed with stateless NiFi. Let me chat some more with @Dye357 to see if there's anything I'm missing.

Hi @slambrose, what you describe should be possible with the existing EnvironmentVariableParameterValueProvider. Let me know if you have any other questions about the setup.

@exceptionfactory

exceptionfactory commented Mar 13, 2023

Closing based on discussion of recommended alternatives. If there are any additional questions on the current implementation, the discussion can be continued under the linked Jira issue: NIFI-11231

@slambrose slambrose deleted the NIFI-11231-Stateless_secure_parameter_context_support branch March 19, 2024 12:05